PRA has a cyber challenge message for insurers

PRA has a cyber challenge message for insurers | Insurance Business

Specialist general insurance firms regulated by the Prudential Regulation Authority (PRA) have until the middle of the year to come up with an action plan to address silent cyber risk.

In a letter to chief executives, PRA insurance supervision director Anna Sweeney provided feedback on the major takeaways from a 2018 survey on cyber insurance underwriting risk and also highlighted the areas where the regulator believes insurers can do more to ensure the prudent management of cyber risk exposures.

“The survey results suggest that although some work has been done, more ground needs to be covered by firms especially in relation to non-affirmative cyber risk management, risk appetite, and strategy,” Sweeney wrote in the letter seen by Insurance Business.

According to the director, nearly all of the respondents agreed that several traditional lines of business have considerable exposure to non-affirmative, or silent, cyber risk.

“Casualty, financial, motor, and A&H (accident and health) lines were noted to have the largest non-affirmative exposure,” she said. “Firms were also aligned in their view of low non-affirmative exposure for energy lines of business, mainly due to the application of exclusion CL380, a widely-used exclusion across marine lines.

“There was significant divergence in firms’ views of the potential exposure within property, marine, aviation, and transport (MAT), and miscellaneous lines. Firms estimated their exposure to non-affirmative cyber risk on these lines to be anywhere between zero and the full limits.”

The PRA official added that some of the variation may be explained by differences in the underlying portfolios and the extent to which companies have felt able to introduce sufficiently robust exclusions and/or limits.

“However, much of the divergence is likely to be reflective of differences in firms’ perception of risk,” wrote Sweeney. “This suggests that some firms should give further thought to the potential for cyber exposure within these specific portfolios.”

In addition, she pointed to “not well-developed” quantitative assessments of non-affirmative risk.

Sweeney noted that organisations cited challenging market conditions, broker pressure, and lack of historic data, models, and expertise as the main obstacles as far as prudential management of cyber underwriting risk is concerned.

“We appreciate these challenges but do not believe they are insurmountable,” she told insurance bosses. “We also welcome recent announcements about individual firms’ efforts to manage non-affirmative cyber risk in their books of business.

“The responsibility is on firms to progress their work and fully align with the expectations set out in SS4/17 (supervisory statement). In relation to the expectation that firms reduce the unintended exposure to non-affirmative cyber risk, insurers should develop an action plan by H1 2019 with clear milestones and dates by which action will be taken.”

Meanwhile the PRA has engaged with several regulatory authorities and international forums to develop what Sweeney described as a coordinated approach.